SOLVED

Missing alerts from MDI, suspicious additions to sensitive groups

Brass Contributor

Hi there!


Without going into specific details about how and what has happened, I can clearly say that we are missing at least two alerts regarding suspicious additions to sensitive groups.


What I can say is that we don't have any exclusions on that rule in MDI, but still we had new members in one group without any alert. I can see the additions in the legacy portal (portal.atp.azure.com), but they are not classified as suspicious for some reason, meanwhile another addition to the same group raised an alert the day after.

What can be the issue, and how can we make it so that it does not happen again?


Don't forget to mark my comment as helpful and like it if you find it helpful.

If you are experiencing missing alerts from Microsoft Defender and suspicious additions to sensitive groups, it could be an indication of a potential security threat or a misconfiguration of your system. Here are some steps you can take:

1. Check the configuration of Microsoft Defender: Make sure that Microsoft Defender is properly configured and that all the necessary features are enabled. Check if the alert settings are properly configured and if there are any exclusions that might be affecting the detection of suspicious activities.
2. Run a full system scan: Perform a full system scan using Microsoft Defender to identify any potential malware or other security threats on your system.
3. Check group membership: Verify the membership of sensitive groups to ensure that only authorized users have access. Review the audit logs to determine if there have been any unauthorized changes to group membership.
4. Investigate suspicious activities: If you identify any suspicious activities or changes, investigate them further to determine the cause and take appropriate action. This could include disabling compromised accounts, revoking privileges, and changing passwords.
5. Consider getting help: If you are unable to resolve the issue on your own, consider getting help from a qualified security professional or Microsoft support. They can help you investigate and address the issue to ensure the security of your system.

Remember that prevention is always better than cure. Regularly updating your software and implementing strong security practices can help prevent security incidents before they occur.

best response confirmed by denkajohansson (Brass Contributor)
Solution
We tested this detection for the first time this week and also found that it doesn't work. Currently have a support case open with Microsoft but no real progress yet. At the time of the group membership change, the log file (C:\Program Files\Azure Advanced Threat Protection Sensor\#\Logs\Microsoft.Tri.Sensor.log) has a line starting with:
[timestamp] Warn EventActivityEntityResolver ResolveDirectoryServicesChangeEventAsync directoryServicesChangeEvent ....
Not yet sure if this is significant or not.

Hi and thanks for your response.

Defender is configured properly and all features are enabled. There are no exclusions that would prevent an alert.
I'm not going to bother about question number two; that would have been identified much earlier.

The group membership has been checked and the members were changed, without an alert. This has also been resolved.

The thing is that somehow MDI classifies some additions as alerts and just skips others, even though the group is marked as a sensitive group.

Please keep me updated with the issue; it seems like we have the same issue as you guys.
Will go ahead and check the logs like you mentioned in your post and will create a support case myself.

In some cases I also agree. Microsoft Defender has to go a long way, brother. I don't think you will get much help in this case now.

This is most likely due to the learning period of the Alert itself. - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts#susp...

Key wording here is "Abnormal"

Advanced hunting has options for sensitive audits. Please feel free to use M365D's advanced hunting to see further options with groups - https://techcommunity.microsoft.com/t5/security-compliance-and-identity/track-changes-to-sensitive-g...

Without saying too much, it's probably not the learning period, since we have had this set up for over two years now.

Regarding the abnormal part, it's possible that it's not abnormal for the account that was used, but abnormal in terms of what kind of users were added.
We do have a support case open regarding this.

The conclusion of our case was that, due to the learning period, MDI didn't believe that these sensitive group additions were unusual. This was confirmed by switching on the option "Remove learning period" and confirming that the alert now started triggering more readily. This makes the alert basically useless for us, so I was advised to submit feedback using the feedback button in the Defender admin console.
The support agent did mention that we can set up a rule in Defender for Cloud Apps that will emulate this detection, which I have started testing and seems to work well. We've also set up an email alert in Scheduled Tasks that triggers on event ID 4728, because this fires off much more quickly than any of the Defender alerts.
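An added example, not from the thread or from Microsoft, of the fallback the reply above describes: a PowerShell check that reads Security events 4728/4732/4756 for additions to a constructed watch-list of sensitive groups, plus a scheduled task whose trigger is the event itself, so it fires without waiting for an MDI verdict. It assumes it runs on a domain controller; the group names, task name and script path are placeholders.

```powershell
# Added example (not from the thread or from Microsoft): alert on additions to
# sensitive groups straight from the Security log, independent of MDI's
# learning period. 4728 = member added to a security-enabled global group,
# 4732 = local group, 4756 = universal group. Run on a domain controller.
$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')  # assumed watch-list

function Get-SensitiveGroupAddition {
    param([string[]]$Groups = $SensitiveGroups, [int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($Groups -contains $d['TargetUserName']) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Group   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Member  = $d['MemberName']     # DN of the added principal
                Actor   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                DC      = $_.MachineName
            }
        }
    }
}

# Register a task triggered by the event itself, so the check runs within
# seconds of the change. Placeholder script path and task name; the action
# script would call the function above and forward its objects to mail or a SIEM.
function Register-SensitiveGroupWatch {
    param([string]$ScriptPath = 'C:\Scripts\Check-SensitiveGroups.ps1',
          [string]$TaskName = 'Alert-SensitiveGroupAddition')
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = @"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">
*[System[(EventID=4728 or EventID=4732 or EventID=4756)]]</Select></Query></QueryList>
"@
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -File `"$ScriptPath`""
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action `
        -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest
}
```

Event 4728 reports the member as a distinguished name, so the watch-list matches on the group name in TargetUserName rather than on the member.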